Why financial institutions must move quicker on quantum

an article written by Andersen Cheng – Chairman Post Quantum and CEO at Nomidio

For most people reading this, a functioning quantum computer will probably still feel quite fictional — an innovation that’s still light years away. There’s also the idea that, well, wouldn’t a functioning quantum computer be a good thing? Won’t a functioning machine, for example, be able to effectively analyse large or unstructured data sets, to have the technological power to react faster to market volatility?

Yes, most likely, but the price to pay is cryptography. As with most cybersecurity threats in this world, the banking and financial sector is firmly in the crosshairs of those looking to cause damage and harm. 

It’s not like there’s no recognition of the threat. For example, The Bank for International Settlements (BIS) recently said it was poised to onboard more central banks and private banks in a new phase of its project to ‘quantum-proof’ payment systems. However, the sector still lacks preparedness as a whole, begging the question: are we sleepwalking into a security crisis in financial services? 

The threat explained 

Timescale aside for a moment – everyone in the sector needs to recognise that the threat of a functioning cryptographically relevant quantum computer (CRQC) is absolute. It will break through the public-key encryption (PKC) used to protect us in virtually the entire digital world that we take for granted today. ItThat means that data, no matter how secure it may be right now, will be vulnerable to a future attack on a scale never seen before.

In finance, this means that all client data, balance sheets, asset purchases, and money transfers will be left defenceless. For example, public asset records, preserved in ledgers like the Land Registry, serve as the basis for property ownership, mortgages, and related securities. As with private ledgers, encryption safeguards may be in place to protect these records. But an attacker with access to a functioning quantum machine could manipulate encrypted data, tamper with records, rewrite ownership of assets, and create fraudulent transactions. This would compromise the accuracy and transparency of these ledgers.

Some technologists claim blockchain would be the solution. However, virtually all blockchains are not quantum-safe and even if they all were, there is still a threat that current thinking cannot address.  Blockchain only provides immutability but not security.  It is not a preventative measure and will merely record beyond doubt and post-the-event that someone has stolen your assets. This is where hackers will come in to destroy the trust in the entire ecosystem. Having a quantum-safe identity solution is essential to ensure access to blockchained and other records is future-proof.

Just focusing on this moment of absolute vulnerability downplays the risk entirely. In reality, the threat quantum machines pose is already here today in the form of Harvest Now, Decrypt Later (HNDL) attacks. That is, sensitive data with a long shelf life – anything from Personal Identifiable Information (PII), to financial asset data – is being harvested by those intending to decrypt it once a sufficiently powerful quantum computer arrives. Evidence of this risk is demonstrated by the increasing frequency of data breaches and cyberattacks targeting financial institutions. 

Initial action, but does it go far enough? 

The industry has begun to take initial steps to tackle these issues. HSBC, for example, has piloted a quantum-secured metro network in London. The bank intends to use a quantum-secured metro network to evaluate secure transmission of data across standard fibrefiber-optic cables between its global headquarters at Canary Wharf in London’s Docklands, and a datacenter 62km (38 miles) away in Berkshire. 

Last year, the BIS and two of Europe’s central banks established a channel that can protect financial data. Dubbed ‘Project Leap’, the BIS Innovation Hub Eurosystem Centre worked with the French and German central banks’ to design a channel that will use quantum-safeprotect cryptographic algorithms, which protect sensitive financial data from being penetrated by powerful quantum computers.

But even despite these projects making some progress, the sector must go further. Take the BIS project – at this stage, it only aims to quantum-proof edge-to-edge communications, or the parts of the communication chain that happen from the perimeter of the central bank, to the perimeter of another central bank. This is also called a ‘last-mile’ problem, and simply protecting communications from the edges of central banks, rather than end-to-end user protection, leaves an obvious target for an attacker. 

Interoperability is also another problem. Today, everybody uses the same encryption algorithms, but what happens when BIS wants to add more countries outside of France and Germany? We’ve already seen the likes of Germany opting for algorithms such as Classic McEliece, which is at odds with the Kyber algorithms selected by the National Institute of Standards and Technology (NIST) in the US. In essence, what might work and be interoperable for a link between two institutions will likely face implementation challenges when scaling across the multi-layered globalised payments infrastructure. 

Ultimately, what the BIS demonstrates is the huge scale of the challenge in front of financial institutions. Every database must be re-encrypted with future proof algorithms. All apps will have to be re-coded. This is not just a press of a button, and will take years, if not decades to complete if the entire sector is to be fortified. The bigger institutions will have the bandwidth and finances to take action – some indeed already have. But it will take a long time until we can say the sector is quantum-proof. 

Follow the article in full here

Photo credit: Finextra